How do you come up with an ethical framework for dealing with hacked documents? Firstly, it’s useful to look at what concerns are raised when journalists use them.

Looking at previous reporting based on leaked documents these break down into three broad categories:

Firstly, that the information was ‘stolen’ (method)

Secondly, that the motivation behind obtaining the information was tainted (source)

And thirdly, that the information represents an invasion of privacy (effect)

Put another way: people are generally concerned with how the leaked information was obtained, why, and to what effect.

These concerns are not entirely without precedent. In fact, there’s a very close analogy here: undercover reporting.

Obtaining information through misrepresentation

Why? Because the undercover reporter obtains information through misrepresentation: he or she is ‘stealing’ it. That might be anything from documents in an organisation they are working in, to facts divulged in conversations considered private.

Hacking, of course, is obtaining information through misrepresentation. In this case, the hacker convinces a system that they are someone they are not, and obtain information as a result.

The existing framework for dealing with information in those cases requires journalists to ask: “Is it in the public interest? And could the information be obtained by other means?”

“According to the hackers, although the “full delete” feature that Ashley Madison advertises promises “removal of site usage history and personally identifiable information from the site,” users’ purchase details — including real name and address — aren’t actually scrubbed.

““Full Delete netted ALM $1.7mm in revenue in 2014. It’s also a complete lie,” the hacking group wrote. “Users almost always pay with credit card; their purchase details are not removed as promised, and include real name and address, which is of course the most important information the users want removed.””

But hacking is different from undercover reporting in one key way: the decision to ‘go undercover’ is not made by the journalist. Which takes us onto another consideration…

‘This is still a criminal act’

“The legal position was straightforward: These documents were obtained through illegal means, but accessing them is not, in fact, illegal; reporting on documents made available through the hack, and even excerpting from them, are covered under both the First Amendment and Fair Use, which protects the reproduction of copyrighted content under the aegis of “enriching” or educating the general public.”

UK media law writer Cleland Thom says the situation is similar in the UK:

“It seems to me there is an easy answer to the “who am I?’ question posed by Blackhurst: You are a journalist. You are not part of the state or the government. Your job is disclosure, not secrecy. You stand aside from power in order to scrutinize it.

“Your job is to be fully sensitive to all the public interests raised by the story—and to publish what you judge to be significant as responsibly as you know how. Only then is informed debate possible. As a journalist, you have as much right to balance those public interests as a politician or a policeman or a judge.”

The ethical tension here – as I explored previously in a book chapter – is between two forms of ethics: the ethics of virtue (“I do not deceive”) and teleological ethics (good or bad impact of actions – or doing least harm).

As the journalist has not done the hacking itself, the ethics of virtue only come into play in terms of ‘handling stolen goods’. But the teleological ethics are much more complex – not just because of the potential negative impact of publishing, but because of the negative impact of not publishing.

In other words, is it better to not publish information even if it is clearly in the public interest, because it has been obtained by illegal means by another person? On those grounds all whistleblowing material would be a no-go area.

“Journalism is, in some sense, permissible thievery. We occasionally catch wind of what our subjects would rather us not know, and we don’t hesitate to report it if it contributes to an understanding of what we’re writing about.”

Yet he doesn’t feel comfortable with reporting on the leaks, because Sony is not a government.

Private companies, public interest

Two things separate Wikileaks and Snowden from Sony, Hacking Team and Ashley Madison: firstly, that the leakers were internal, and secondly, that the organisations were public bodies. That allowed the leaks to be more confidently handled by reporters as ‘whistleblowers’ and ‘in the public interest’.

The lack of those elements makes Variety’s Andrew Wallenstein uncomfortable: “Sony is not a government”, he writes.

“Conflating the imperatives behind covering a government and a corporation feels like a false equivalence to me.”

But is it really? The Verge justified reporting on one revelation from the leaks – plans by the Motion Picture Association of America (MPAA) to “broadly and significantly impact the distribution of information, which would impact how free speech works on the internet” based precisely on how the corporation was involved in a campaign to influence public policy:

“As we’ve combed through this hack … we’ve been weighing each potential story against where it came from. Studio notes on Chappie: worth it? The script for Underworld 5: worth it? The revelation that Sony and the MPAA are engaged in a years-long secret campaign to essentially resurrect SOPA, this time with better PR: worth it?

“On that last one, ultimately, yeah, I think so. It’s not a matter of whether Sony now “deserves” to be cyberterrorized or not, but rather whether the value of what we have learned outweighs how we learned it. We decided that it was important for you to know how the MPAA plans to influence how you experience the internet, and by extension, how they intend to shape the future of the information marketplace; we could all agree that it had more impact on our world and our lives than top-secret internal intelligence that Scott Rudin is a meanie.”

And the broader point is that the public interest does not just mean ‘public body’.

Hackers you like – or hackers you don’t like?

One of the peculiarities of leaks is that the journalist is never quite sure why the information has been leaked. Sony’s hacked documents in particular were problematic for some journalists because they felt they may be being manipulated by the North Korean government.

“I felt that if this hack was indeed carried out by the North Korean government or their sympathizers (which, it should be emphasized, has not been confirmed, but seems the only operable conclusion from what we know so far), the data released by this hack should be considered tainted by its provenance. Not factually, but ethically. Information does not have feelings or agendas, but the people who grant us access to it often do. And by all appearances, the attack on Sony was intended as a knife in the heart of free speech. Which was why part of me was surprised — not shocked, but surprised — at how eager the media was to twist it in.”

Trying to unpick this, I see two ethical considerations at play. The first is about a virtue of ethics again: the journalist wanting to be independent, unmanipulated. Regardless of the wider good, they want to feel personally good.

The second is about a virtue of impact: doing good or preventing harm. The argument is that by supporting North Korea’s (at that time suspected) attack on Sony’s free speech, they are not preventing harm.

This is a very difficult judgement to make, especially when there is no proof of either the motivation (North Korea’s involvement or not) or the effect (would it really stop Sony making films that might offend North Korea?).

In seeking to be independent of North Korea’s manipulation the journalist may actually be manipulated by another actor who may be spreading the false suggestion that North Korea was involved.

As Heather Brooke puts it: “This is where we get into the information war, that speculative blood became more important than the actual blood.”

And of course the leak itself – or part of it – may be faked. So verifying what has been found is as important as with any source.

Tl;dr

Ultimately all the above comes back to that recurring ethical balancing act: does the public interest outweigh the impact of reporting on a company or individual? Will you be doing more harm on the whole by reporting – or by not reporting?

PS: a disclaimer: this post is supposed to be a starting point, not an attempt at a definitive ethical framework. So the most important stuff happens now: please pile in with your own interpretation or references.

UPDATE [April 8 2016]: I was interviewed on this topic for a piece in Vice Motherboard, which explores them further and is well worth a read.

9 thoughts on “In the wake of Ashley Madison, towards a journalism ethics of using hacked documents”

Your focus is largely the question of whether to publish. There’s also how, and when, to publish. Those considerations help clarify why you’re publishing. They will likely expose another set of ethical tensions.

It’s too simple to look only at “whether to publish”, balancing the public interest etc, in relation to this material. It’s not that binary. The manner & timing has the capacity to cause harm or not, to bring benefits or not. So it’s not just a question of the teleological ethics of the binary publish/don’t publish decision.

Thanks – I’m glad you’ve pointed that out. The post doesn’t really explore that enough.
There’s another issue which I need to address as well, which is the potential to draw people’s attention to the unredacted full data.